Microsoft quietly added a packet sniffer to the system files in the Windows 10 October 2018 update, and it went unnoticed until now. The packet sniffer, or network monitor, is named PktMon and lives in c:\windows\system32\. To use it you need an elevated command prompt or process shell. PktMon can monitor a computer's network traffic down to the packet level. It can be used to troubleshoot network issues, check where traffic from the network is going, or even extract information and services that are sent in plain text.

How to Monitor Network Traffic in Windows 10

1. Press the Windows key and type cmd.
2. Right-click cmd and choose "Run as administrator" (a command prompt opens at c:\windows\system32).
3. Run the following command; on its own, pktmon lists the available subcommands:

    pktmon

4. Add a port to monitor, such as 80, 21 or 53. To monitor several ports, run the command once per port:

    pktmon filter add -p 80
    pktmon filter add -p 21
    pktmon filter add -p 53

   The added ports can be listed with:

    pktmon filter list

   [Screenshot: pktmon filter adds the ports whose packets will be sniffed]

5. Start monitoring:

    pktmon start --etw

   [Screenshot: pktmon sniffing network packets]

6. Stop monitoring:

    pktmon stop

7. The capture is written as an .etl file (the default format). Convert it to text so you can read it easily:

    pktmon format PktMon1.etl -o c:\packets.txt

   [Screenshot: pktmon converting the .etl capture to .txt]

   Alternatively, open the .etl file directly in Microsoft Network Monitor.

PktMon can be restricted to a specific adapter by passing that adapter's ID. List the IDs with:

    pktmon comp list

then start pktmon with the -c parameter to select an adapter ID:

    pktmon start --etw -c 1

PktMon can also capture in real time on the latest version of Windows 10. If you have the Windows 10 May 2020 Update (version 2004), use the following command to sniff packets in real time:

    pktmon start --etw -m real-time

Conclusion

PktMon is similar to tcpdump on Linux, but it cannot be compared with Wireshark. PktMon is a CLI tool for capturing network traffic. For now its output is limited to the .etl and .txt formats. Once it gains pcap support it will become a genuinely useful tool, and could be used to capture packets on servers and remote machines without installing any third-party software. There is no documentation or mention of the PktMon packet sniffer on Microsoft's site, which makes the utility suspicious; it is still not clear what Microsoft wants from it or why it was added.
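The steps above are typed one at a time into an elevated prompt. As an added example (not code from the original post, and not part of PktMon itself), the PowerShell script below wraps the same pktmon commands so a capture can be started and stopped repeatably. It assumes an elevated PowerShell session on Windows 10 1809 or later; the port list, the C:\packets.txt output path and the -ComponentId value are illustrative, and the `pktmon filter remove` subcommand used to clear old filters and the default capture file name PktMon.etl are assumptions not shown in the post.

```powershell
# Added example: a wrapper around the pktmon commands described in the post.
# Run from an elevated PowerShell prompt. Port numbers, paths and the
# component ID are illustrative values, not anything pktmon ships with.

function Test-IsElevated {
    # pktmon refuses to run without administrator rights, so check first.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-PktMonCapture {
    [CmdletBinding()]
    param(
        [int[]]  $Ports = @(80, 21, 53),   # constructed sample filter list
        [int]    $ComponentId,             # optional adapter ID from 'pktmon comp list'
        [switch] $RealTime                 # needs Windows 10 2004 (May 2020 Update)
    )
    if (-not (Test-IsElevated)) {
        throw 'pktmon requires an elevated (Administrator) prompt.'
    }

    # Assumption: 'pktmon filter remove' clears filters left over from an
    # earlier session; the post itself does not show this subcommand.
    pktmon filter remove | Out-Null

    # One 'filter add' per port, exactly as the post does by hand.
    foreach ($p in $Ports) {
        pktmon filter add -p $p | Out-Null
    }
    pktmon filter list   # show the filters that will apply to this capture

    # Build 'pktmon start --etw [-c <id>] [-m real-time]' from the parameters.
    $argList = @('start', '--etw')
    if ($PSBoundParameters.ContainsKey('ComponentId')) { $argList += @('-c', $ComponentId) }
    if ($RealTime) { $argList += @('-m', 'real-time') }
    & pktmon @argList
}

function Stop-PktMonCapture {
    param(
        [string] $EtlPath  = 'PktMon.etl',      # assumed default file written by 'pktmon start'
        [string] $TextPath = 'C:\packets.txt'   # constructed output path
    )
    pktmon stop
    # Convert the binary ETL trace to text, as in the post.
    pktmon format $EtlPath -o $TextPath
    Get-Item $TextPath
}

# Usage (run in an elevated PowerShell session):
#   Start-PktMonCapture -Ports 80,443 -ComponentId 1
#   ... reproduce the traffic of interest ...
#   Stop-PktMonCapture -TextPath 'C:\packets.txt'
```

The script keeps each pktmon invocation visible rather than hiding it behind abstractions, so that anything it does can be checked against the commands listed above, and it fails early on a non-elevated session instead of producing an empty capture.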